The body is a JSON object where the names of the fields are the application
names and the value of each field is an object. The fields in this inner
object are the names of the privileges and each value is a JSON object that
includes the following fields:

actions

(array-of-string) A list of action names that are granted by this
privilege. This field must exist and cannot be an empty array.

metadata

(object) Optional meta-data. Within the metadata object, keys
that begin with _ are reserved for system usage.

These strings have significance within the "myapp" application. Elasticsearch does not
assign any meaning to them.

The use of a wildcard here (*) means that this privilege grants access to
all actions that start with data:read/. Elasticsearch does not assign any meaning
to these actions. However, if the request includes an application privilege
such as data:read/users or data:read/settings, the
has privileges API respects the use of a
wildcard and returns true.

The metadata object is optional.

{
"myapp": {
"read": {
"created": true
}
}
}

When an existing privilege is updated, created is set to false.

To add multiple privileges, submit a POST request to the
/_security/privilege/ endpoint. For example: